Policy-based virtualization method involving adaptive enforcement

US 8,272,031 B2
Filed: 09/23/2009
Issued: 09/18/2012
Est. Priority Date: 09/23/2009
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium storing instructions, that when executed by a computer, cause the computer to:

execute a first system software instance in a virtualized environment;

execute a policy enforcement point (PEP); and

receive from a policy decision point (PDP) a decision as to whether a second system software instance should be allowed to execute concurrently with the first system software instance in the virtualize environment, wherein the policy enforcement point (PEP) is configured to selectively prevent the execution of the second system software instance in the virtualized environment based on the decision of the policy decision point (PDP).

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in which a permission for running a system software instance alongside another system software instance is issued on the basis of a first policy rule concerning the operation of a first software application and a second policy rule concerning the execution of second software application.

11 Citations

View as Search Results

20 Claims

1. A non-transitory computer readable medium storing instructions, that when executed by a computer, cause the computer to:
- execute a first system software instance in a virtualized environment;
  
  execute a policy enforcement point (PEP); and
  
  receive from a policy decision point (PDP) a decision as to whether a second system software instance should be allowed to execute concurrently with the first system software instance in the virtualize environment, wherein the policy enforcement point (PEP) is configured to selectively prevent the execution of the second system software instance in the virtualized environment based on the decision of the policy decision point (PDP).
- View Dependent Claims (2, 3, 4)
- - 2. The non-transitory computer readable medium of claim 1 wherein the decision depends on a telecommunications network policy rule related to the operation of software executing inside the first system software instance.
  - 3. The non-transitory computer readable medium of claim 1 wherein the decision depends on a characteristic of software executing inside the first system software instance.
  - 4. The non-transitory computer readable medium of claim 1 wherein the decision depends on an amount of computing resources available.

5. A system, comprising:
- a first telecommunications network node comprising a first server software and a processor, wherein the first server software is associated with a first telecommunications network perimeter, wherein the processor of the first node is operable to execute a first system software instance and a policy enforcement point (PEP);
  
  a second telecommunications network node comprising a second server software and a processor, wherein the second server software is associated with a second telecommunications network perimeter, wherein the processor of the second telecommunications network node is operable to execute a policy decision point (PDP);
  
  wherein the policy decision point (PDP) is configured to decide when a second system software instance should be allowed to execute concurrently with the first system software instance on the first telecommunications network node in a virtualized environment, wherein the decision depends on a first network policy rule related to the first telecommunications network perimeter and a second network policy rule related to the security of the second telecommunications network perimeter; and
  
  wherein the policy enforcement point (PEP) is configured to selectively prevent the execution of the second system software instance in the virtualized environment based on the decision of the policy decision point (PDP).

6. A method, comprising:
- transmitting a message by a software module indicating a permission to execute on a node a first server concurrently with a second server in a virtualized environment, wherein;
  
  the first server is executing within a first system software instance, and the second server is within a second system software instance;
  
  the permission depends on a first telecommunications network policy rule and a second telecommunications network policy rule, wherein;
  
  the first telecommunications network policy rule relates to the operation of the first server, andthe second telecommunications network policy rule relates to the operation of the second server.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6 wherein the permission depends on hardware resources of the node.
  - 8. The method of claim 6 comprising:
    - evaluating the hardware resources of the node; and
      
      transmitting a message indicating a hardware upgrade for the node.
  - 9. The method of claim 6 wherein the message indicating permission is transmitted in response to a detection of an instantiation of the second system software instance on the node.
  - 10. The method of claim 6 wherein the message indicating permission is transmitted in response to a detection of a request for system services by the second system software instance.
  - 11. The method of claim 6 wherein the message indicating permission depends on a telecommunications network policy rule concerning the concurrent execution of multiple system software instances on the node in the virtualized environment.

12. A method, comprising:
- transmitting from a first node, a message indicating a permission to execute on a second node a first software concurrently with a second server, wherein;
  
  the first software is executed within a first system software instance, and the second software is executed within a second system server instance;
  
  the permission is based on a first telecommunications network policy rule and a second telecommunications network policy rule, wherein;
  
  the first telecommunications network policy rule relates to the operation of the first server, andthe second telecommunications network policy rule relates to the operation of the second server;
  
  transmitting from the first node to the second node a message identifying a telecommunications network policy rule to be implemented by firewall software executed on the second node; and
  
  in response to receipt of the message, launching at the second node, an instance of firewall software implementing the rule.

13. A method comprising:
- receiving a first telecommunications network policy rule, wherein the first rule relates to the operation of a first server in a telecommunications network;
  
  receiving a second telecommunications network policy rule, wherein the second rule relates to the operation of second server in the telecommunications network;
  
  transmitting a message containing a permission to migrate the second server to a virtualized environment of a first telecommunications network node, wherein;
  
  a first telecommunications network node is host to the first server,the first server is executing within a first system software instance,the migration of the second server to the first telecommunications network node comprisesthe instantiation of a second system software instance at the first telecommunications network node andexecuting the second server within the second system software instance; and
  
  the permission depends on the first telecommunications network policy rule and second telecommunications network policy rule.

14. A method, comprising:
- receiving a first telecommunications network policy rule, wherein the first telecommunications network policy rule relates to the operation of a first server in a telecommunications network;
  
  receiving a second telecommunications network policy rule, wherein the second telecommunications network policy rule relates to the operation of second server in the telecommunications network;
  
  transmitting a message containing a permission to migrate the second server a virtualized environment of a first telecommunications network node, wherein;
  
  the first telecommunications network node is host to the first server,the first server is executing within a first system software instance,the migration of the second server to the first telecommunications network node comprises the instantiation of a second system software instance at the first node and executing the second server within the second system software instance; and
  
  the permission depends on the first telecommunications network policy rule and second telecommunications network policy rule; and
  
  transmitting a message indicating a suggestion for a hardware upgrade of the first node, wherein the suggestion depends on the expected utilization of computer hardware resources by the first virtual server.

15. A method, comprising:
- receiving a first telecommunications network policy rule, wherein the first telecommunications network policy rule relates to the operation of a first server in a telecommunications network;
  
  receiving a second telecommunications network policy rule, wherein the second telecommunications network policy rule relates to the operation of second server in the telecommunications network;
  
  transmitting a message containing a permission to migrate the second server a virtualized environment of a first telecommunications network node, wherein;
  
  the first node is host to the first server,the first server is executing within a first system software instance,the migration of the second server to the first node comprises the instantiation of a second system software instance at the first node and executing the second server within the second system software instance; and
  
  the permission depends on the first policy rule and second policy rule;
  
  transmitting an indication of a third telecommunications network policy rule, wherein;
  
  the third telecommunications network policy rule is to be implemented by a firewall software, wherein the firewall software is executing on the first node, andthe third telecommunications network policy rule depends on the first rule and second rule.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15 comprising:
    - transmitting a message indicating a suggestion for a hardware upgrade of the telecommunications network node, wherein the suggestion depends on the expected utilization of computer hardware resources by the first virtual server.
  - 17. The method of claim 15 comprising transmitting an indication of a third telecommunications network policy rule, wherein:
    - the third telecommunications network policy rule is to be implemented by a firewall software, wherein the firewall software is executing on the telecommunications network node,the third telecommunications network rule depends on the first telecommunications network rule and second telecommunications network rule.

18. A method comprising:
- receiving a request to migrate a second virtual server to a virtualized environment of a telecommunications network node, wherein the first telecommunications network node is executing a first virtual server; and
  
  transmitting a message containing a permission to migrate the second virtual server to the telecommunications network node, wherein;
  
  the first virtual server is executing within a first system software instance,and the migration of the second virtual server to the telecommunications network node comprises the instantiation of a second system software instance at the telecommunications network node and executing the second virtual server within the second system software instance; and
  
  the permission depends on a first telecommunications network policy rule and a second telecommunications network policy rule.

19. A system comprising:
- a first telecommunications network node executing a virtualized environment, wherein the first node is operable to execute a first virtual server and a first software module, wherein the first virtual server is executing within a first system software instance;
  
  a second software module, wherein the second software module decides whether a second virtual server should be allowed to execute within a second system software instance concurrently with the first virtual server on the first node; and
  
  wherein the first software module selectively prevents the operation of the second virtual server on the basis of a decision provided by the second software module.
- View Dependent Claims (20)
- - 20. The system of claim 19 further comprising a second telecommunications network node, wherein the second telecommunications network node is operable to execute the second software module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Abderrazzaq, Saad, Mani, Mahalingam, Srinivas, Tanjore K.
Primary Examiner(s)
Song, Hosuk

Application Number

US12/565,063
Publication Number

US 20110072504A1
Time in Patent Office

1,091 Days
Field of Search

726 1- 4, 726 6- 7, 726/11, 726 26- 27, 726/30, 713150-153, 709/217, 709/225, 709/229
US Class Current

726/1
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 67/30 Profiles

Policy-based virtualization method involving adaptive enforcement

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based virtualization method involving adaptive enforcement

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links